HIPAA Understood: An Introduction

This series is intended to help those required to be in compliance with HIPAA understand what is required of them. Regulatory standards are often times difficult to understand as they are worded vaguely. By the end of this series, you will have a better understanding of what is required of you by HIPAA. In addition, I will provide suggestions on how to achieve compliance based on what I have seen work most effectively.

As an information security consultant, one of the most common regulatory compliance standards I audit against is the HIPAA Final Security Rule. During these audits, I am frequently running into individuals who do not have a full understanding of what is required of both them and their organization. This has prompted me to make some changes to the type information we typically provide to our clients. However, I’ve come to feel that’s not quite enough. To help disseminate this information, I have decided to start a blog series designed to provide weekly information on compliance with this standard. Please remember, this will be specifically addressing the HIPAA Final Security Rule; for questions concerning HIPAA Privacy, I recommend consulting with your legal representative so long as they are well versed in HIPAA law. As a disclaimer, Spohn is not the only company that has or will create a content set like this, there are others out there. If you find my style not to your liking I recommend you find one that suits you to ensure the best impact in your environment.

To begin, we will focus on the General rules under 164.306 Security Standards: General Rules contained within the HIPAA Final Security Rule. The General Rules are a collection of rules which are designed to provide guidelines for controls contained within later sections of the HIPAA Final Security Rule. I’ve gotten many questions on what specific controls should be applied to achieve compliance in these areas, and my answer is always the same; there is not any specific control that will make you compliant for these rules. To achieve compliance in these areas you will have to be compliant in the areas in the remaining sections of the HIPAA Final Security rule. This may sound odd especially as the goal of this series is to provide the details on how to achieve compliance with HIPAA specifically, but I assure you this is as specific as you need to be for the General Rules. The articles following this will address the remainder of the rules in a more specific manner.